# Correct-by-Construction Code Synthesis from Formal Models for Safe and Secure Applications

Posted 23-May-2020

## Transcript

Correct-by-Construction Code Synthesis from Formal Models for Safe and Secure Applications

This research was funded by Air Force Rome Labs

Sandeep Shukla

FERMAT Lab,

Centre for Embedded Systems for Critical Applications

Bradley Department of Electrical and Computer Engineering

Virginia Tech, USA.

Topic Area: Usability of Formal Methods towards System Certification

shukla@vt.edu

Safety-Critical Software

Safety-Critical Software Requirements

• Deterministic
• Functionally Correct
• Tolerant to Fault Models
• Satisfies Real-Time Properties

Traditional Development

A posteriori verification – cost, delays, quality problems

Source: Clarus Concept of Operations. Publication No. FHWA-JPO-05-072, Federal Highway Administration (FHWA), 2005. http://www.itsdocs.fhwa.dot.gov/jpodocs/repts_te/14158.htm

A Priori Verification and Verified Refinement

• Requirements models

Correct-by-Construction Synthesis

• A Modeling Language
– needed to capture intended computation and communications
– must be at a high enough abstraction level
– must have formal semantics
– must be verifiable using formal techniques
– refinements towards implementation must be provably correctness-preserving steps

All possible behaviors of a program could span millions of paths.

Testing and coverage metrics (MC/DC and others) cannot guarantee much.

Modeling Language candidates

• State based: Kripke Structure
• State based: Automata
• Temporal Logic Based (e.g. AG p, EF q)

Requirements Models

• These usually
– are at the highest level
– abstract away implementation constraints
– may have nondeterministic abstract behavior
– need not implement all behaviors possible in the requirements model, because additional constraints rule some out
– define correctness of the implementation as: the set of behaviors of the spec is a superset of the behaviors of the implementation

What level of Abstraction is Given?

• What if the control engineer already gave me an algorithm for control?
• What if the O/S designer already has a detailed algorithm in a pseudo notation?
• What if the data path is already given?
• Then the implementation behavior must match the abstract behavior
• In some cases, it can be a subset

Stream based Specification

• Embedded systems are long lived
• React to input events
• The inputs keep coming – hence form a set of streams
• During processing we convert one stream to another and so on until outputs are computed

Input Data/Event Streams get processed and come out as Output Data/Event Streams. Sometimes, feedback is used to retain state information.

[Figure: inputs → Computation → outputs, with a feedback path]

Choices

• Control/Dataflow Automata
• Parallel Control/Dataflow Automata
• Dataflow networks
– Synchronous Data flow (SDF)
– …..
– KPN
• Petrinets
• Process Algebras
• ….

[Figure annotations: "Computes on data streams"; "Data computation scheduled along control locus"; "Control centric – data computation abstracted, no data-value-dependent control"]

Dataflow Network

• Determinism at crucial locations of computation loci – important
• Local non-determinism – fine
• Composability – important
– KPN – too strong requirements
– SDF – too low expressibility
– Single-clocked dataflow vs. multi-clocked dataflow

Data flow examples

• y := f(x) + g(x) | o := h(y)

[Figure: dataflow graph – x feeds f and g, their outputs are added into y, and h maps y to o]

Input x; Output o; Internal y

Pseudocode of the synthesized loop:

```
while (1) {
    Read(x);
    y = f(x) + g(x);
    o = h(y);
}
```

NO STATE VARIABLE

Example 2

• S := S’ + x | S’ = S$ init 0

[Figure: x and S’ are added into S; the $ (delay, init 0) box feeds S back as S’]

Input x; Output S; Internal S’

```
S’ = 0;            /* the delay "S$ init 0" */
while (1) {
    Read(x);
    S = S’ + x;
    Output(S);
    S’ = S;
}
```

STATE VARIABLE

Example 3

• y := x when c | c := true when (x > 0) default false

Input x; Output y; Internal c

```
c = false;
while (1) {
    Read(x);
    c = (x > 0) ? T : F;
    if (c)
        y = x;
}
```

[Figure: x is compared with 0; the result is sampled into c (T or F); c samples x into y]

Example 4

• y := (x > 0) | z := ((x + 1) when y) default x

[Figure: x > 0 gives y; (x + 1) when y, default x, gives z]

Input x; Output z; Internal y

```
y = false;
while (1) {
    Read(x);
    y = (x > 0);
    if (y) {
        z = x + 1;
    } else {
        z = x;
    }
}
```

MRICDF Dataflow Network

Model of Time

Reaction: computation triggered by one or more input events; it may or may not require other inputs during the reaction, and it ends by computing all the required output events.

Events: each input, output or internal variable changes value by computation or external intervention – each such occurrence is an event.

Ordering: events are temporally and spatially ordered. Temporally they may be partially ordered (think threads).

Signal: events occurring to a single variable (input, output, or internal) have to be totally ordered.

Ordering of Reactions: reactions are maximal computations in response to one or more input events, leading to internal variable and output computation, and cascading in response to those changes – until no more new event can occur without another stimulus event.

Model of Time (2)

Logical Time: each reaction is called an abstract instant or logical instant.

Ordering of Logical Instants: partially ordered, but may be sequential.

Synthesis of Dataflow Specifications: creating equivalence classes of reactions that are characterized by the same data flow.

Not all logical instants have the same data flow – an input may be present in one logical instant and absent in another.

Once the equivalence classes of reactions are found, schedule the reactions.

Then order the equivalence classes in the right implementation code.

What is MRICDF?

• Multi-Rate Instantaneous Communication Data Flow
• A visual language (with a textual substitute) to express a computation over concurrent streams of data
• A stream of data/events –> a totally ordered set of events
• Why care about streams of data?

Examples

[Figure: the Example 1 dataflow graph again – x feeds f and g, their sum is y, and h maps y to o]

How many equivalence classes? One. One reaction type – keeps repeating sequentially ad infinitum.

```
Read(x);
y = f(x) + g(x);
o = h(y);
```

Example 2

[Figure: the Example 2 dataflow graph again – x and S’ added into S, with the $ (init 0) delay feeding S back as S’]

How many equivalence classes? One. One reaction type – keeps repeating sequentially ad infinitum.

```
Read(x);
S = S’ + x;
Output(S);
S’ = S;
```

Example 3

[Figure: the Example 3 dataflow graph again – x compared with 0, sampled into c (T or F), c samples x into y]

How many equivalence classes? Two.

```
Read(x);
when x > 0 { c = true; y = x; }
```

Example 3.1

[Figure: Example 3 extended with an output z – x compared with 0, c set to T or F, y sampled when c]

How many equivalence classes?

```
READ(x);
when x > 0:   c = true;   y = x;   z = T;
when x        c = false;           z = T;
```

Example 4

[Figure: x → f → u and y → g → v; u sampled when x > 5 gives w, v sampled when y > 5 gives p; h(w, p) gives z]

Input x, y; Output u, v, z; Internal w, p

```
u = f(x) |
v = g(y) |
w = u when (x > 5) |
p = v when (y > 5) |
z = h(w, p)
```

Additional constraint: (x > 5) ^= (y > 5)

Synchronization = Stretch an Instant
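As an added example (not from the slides), a small Python interpreter for the stream equations of Examples 2 to 4, with an absent signal modelled as None, together with the equivalence-class count from the synthesis slides: run over constructed inputs it shows Example 3 splitting into the two reaction classes named above, and why the constraint (x > 5) ^= (y > 5) in Example 4 is needed to keep the reactions down to two classes. f, g and h are not given on the slides; +1, *2 and + stand in for them here, and all input values are constructed.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Set

# An instant maps signal name -> value; None means the signal is absent
# (no event for that variable in this logical instant).
Instant = Dict[str, Optional[int]]
Step = Callable[[Instant, Instant], Instant]

def when(v, cond):
    """`v when cond`: present only when v is present and cond holds."""
    return v if (v is not None and cond) else None

def default(a, b):
    """`a default b`: a when present, otherwise b."""
    return a if a is not None else b

def run(step: Step, inputs: List[Instant], init: Optional[Instant] = None) -> List[Instant]:
    """One reaction per input instant. `prev` keeps each signal's last
    value, which is what a delayed signal (`S$ init 0`) reads."""
    prev, trace = dict(init or {}), []
    for inp in inputs:
        cur = step(inp, prev)
        trace.append(cur)
        prev.update({k: v for k, v in cur.items() if v is not None})
    return trace

def classes(trace: List[Instant]) -> Set[FrozenSet[str]]:
    """Equivalence classes of reactions: distinct sets of present signals."""
    return {frozenset(k for k, v in inst.items() if v is not None) for inst in trace}

def example2(inp, prev):
    # S := S' + x | S' = S$ init 0   (S' is written S_prev here)
    s_prev = prev["S"]
    return {"x": inp["x"], "S_prev": s_prev, "S": s_prev + inp["x"]}

def example3(inp, prev):
    # y := x when c | c := true when (x > 0) default false
    x = inp["x"]
    c = default(when(True, x > 0), False)
    return {"x": x, "c": c, "y": when(x, c)}

def example4(inp, prev):
    # u = f(x) | v = g(y) | w = u when (x > 5) | p = v when (y > 5) | z = h(w, p)
    # f, g, h are not given on the slides; +1, *2 and + stand in (constructed).
    x, y = inp["x"], inp["y"]
    u, v = x + 1, y * 2
    w, p = when(u, x > 5), when(v, y > 5)
    z = w + p if (w is not None and p is not None) else None  # h needs both present
    return {"x": x, "y": y, "u": u, "v": v, "w": w, "p": p, "z": z}
```

Feeding example4 an instant that violates the constraint (x > 5 but y <= 5) produces a third class in which w is present but p and z are absent, which is exactly the reaction shape the constraint rules out.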
